After you restart a Windows Vista Service Pack 1-based computer, the Network Access Protection Agent service may not start. The service may also fail to start when you try to restart it manually.
Note: Additionally, the following services may not start:
KtmRm for Distributed Transaction Coordinator
This issue occurs when the trusted server group is configured incorrectly.
To resolve this issue, configure the trusted server group. To do this, follow these steps:
Click Start, click Run, type gpmc.msc, and then press ENTER.
Locate and right-click Group Policy Object, and then click New.
Type NAP client settings in the Name box, and then click OK.
Right-click NAP client settings in the details pane, and then click Edit.
Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then locate System Services.
Click System Services, and then double-click Network Access Protection Agent in the details pane.
Click to select Define this policy setting, click Automatic, and then click OK.
Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Network Access Protection, expand NAP Client Configuration, and then locate Enforcement Clients.
Click Enforcement Clients, right-click IPsec Relying Party in the details pane, and then click Enable.
Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Network Access Protection, expand Health Registration Settings, and then locate Trusted Server Groups.
Right-click Trusted Server Groups, and then click New.
In the New Trusted Server Group dialog box, type Trusted HRA Servers, and then click Next.
In the Add URLs of the health registration authority that you want the client to trust text box, type https://servername.domainname/domainhra/hcsrvext.dll, click Add, and then click Finish.
Close Group Policy Management Editor.
Right-click NAP client settings, and then click Enable.
Restart your computer.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Health Registration Authority (HRA) discovery by Network Access Protection (NAP) clients
NAP clients must be able to discover the location of HRAs on the intranet before they start the health evaluation process for IPsec NAP enforcement. This automated discovery process can occur by one of the following methods:
Trusted server groups configuration in Group Policy
You can configure trusted server groups from the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\Health Registration Settings\Trusted Server Groups node in a local or Active Directory-based Group Policy setting. To configure trusted server groups, you can also use one of the following methods:
The NAP Client Configuration snap-in
The netsh nap client add|set|delete trustedservergroup command
The netsh nap client add|set|delete server command
The trusted server group is an ordered list of URLs that corresponds to the locations of the HRAs.
The DNS SRV record for HRAs
A NAP client that uses the IPsec Relying Party enforcement client can query DNS for SRV records at the FQDN _hra._tcp.site_name._sites.domain_name to discover the location of HRAs on the intranet.
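A pre-deployment check for the two discovery inputs described above, the ordered trusted server group URLs and the HRA SRV name. It is an added example, not Microsoft's code. The function names, the HTTPS requirement (treated here as a local policy choice), and the sample host names are assumptions.

```python
from urllib.parse import urlsplit

HRA_FILE = "hcsrvext.dll"  # endpoint file name expected at the end of an HRA URL


def check_hra_url(url, require_https=True):
    """Return a list of problems found in one trusted server group URL."""
    problems = []
    if any(c.isspace() for c in url):
        problems.append("whitespace in URL")
    parts = urlsplit("".join(url.split()))  # parse with whitespace removed
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        problems.append("scheme is not http or https")
    elif require_https and scheme != "https":
        # Assumption: local policy wants the HRA verified over TLS.
        problems.append("not https: HRA server is not verified")
    if not parts.hostname:
        problems.append("missing host name")
    if parts.path.rsplit("/", 1)[-1].lower() != HRA_FILE:
        problems.append("path does not end in " + HRA_FILE)
    return problems


def check_group(urls, require_https=True):
    """Check an ordered trusted server group; return {position: problems}."""
    report, seen = {}, set()
    for position, url in enumerate(urls, start=1):
        problems = check_hra_url(url, require_https)
        key = "".join(url.split()).lower()
        if key in seen:
            problems.append("duplicate entry")
        seen.add(key)
        if problems:
            report[position] = problems
    return report


def hra_srv_name(site_name, domain_name):
    """Build the SRV owner name a client queries to discover HRAs."""
    return "_hra._tcp.%s._sites.%s" % (site_name.strip("."), domain_name.strip("."))


if __name__ == "__main__":
    # Constructed sample group; host names are placeholders.
    group = ["https://hra1.example.test/domainhra/hcsrvext.dll",
             "https://hra2.example.test /domainhra/hcsrvext.dl",
             "http://hra3.example.test/domainhra/hcsrvext.dll"]
    for pos, problems in check_group(group).items():
        print(pos, group[pos - 1], "->", "; ".join(problems))
```

Positions in the report are 1-based and follow the order in which the client tries the URLs in the group.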
A NAP client that runs Windows Server 2008, Windows Vista SP1, or Windows XP SP3 and uses the IPsec Relying Party enforcement client queries for the HRA SRV records if the following conditions are true: